Here’s something I suggest you ensure is enabled in all Office 365 tenants.
Visit the Office 365 Security and Compliance center as an administrator. From the menu on left, select the Search & investigation heading. From the items that appear select Audit log search.
If your audit logging hasn’t been enable you see a hyperlink on the right that says Start recording user and admin activity. If that link is visible, then select it as shown above.
You will then receive the above confirmation. Select Turn on.
You’ll be taken back to the Audit log search page where you’ll see a message telling you that logging is being enabled.
When that process is complete return to the Audit log search and select the Activities drop down.
You’ll now be able to audit a huge range of activities and produce a report, like this –
Here, I’ve run a report to display any files that have been accessed. From the results I can see the user, IP address and the file that was accessed.
You can now also set up an alert on any of these activities.
To do this, select the Alerts option on the left in the Security & Compliance center. From the items that appear select Manage alerts.
On the right select the + New alert policy button.
Set the Alert Type to Custom.
Select the Send this alert when… option and again choose the activity for the alert. The available options should be pretty much the same as you saw before with the audit logs.
Then choose which users you wish the alert to apply to as well as an email address to send the alert to.
As with all alert settings ensure that you don’t make these too general because you’ll end up getting too many alerts and end up spamming yourself.
The important thing here is that auditing is no enabled by default. The best practice recommendation is therefore to go and turn it on so you can audit activity in your tenant.